Security Group Comes Out of the Shadows

The Organization for Internet Safety made its formal debut on Thursday.

After nearly a year in the shadows, the Organization for Internet Safety on Thursday formally announced its formation.
The group, made up of security and software vendors, is working on a set of guidelines for handling vulnerability information, which it hopes will bring some order to the chaotic world of security research and vulnerability disclosure. The OIS plans to have a draft of the guidelines early next year.
The foundations for the group were laid at Microsoft Corp.s Trusted Computing conference last fall, when founding members Microsoft, @stake Inc., Guardent Inc., BindView Corp., Internet Security Systems Inc. and Foundstone Inc. formed a loose alliance dedicated to developing a better way to handle vulnerability disclosure. Since then, the members have met several times and have been working on various legal and organizational issues.

Chris Wysopal, director of research and development at @stake in Cambridge, Mass., and Steve Christey, lead information security engineer at The Mitre Corp., in Bedford, Mass., earlier this year submitted a draft vulnerability-disclosure plan of their own to the Internet Engineering Task Force. The IETF ultimately decided it wasnt the appropriate body to consider the draft, but many of the elements of the proposal will likely end up in the OIS document.

The new organization is also forming an advisory board of network security managers. The members will serve one-year terms and must be nominated and approved by OIS members.
New companies of the group include Network Associates Inc., Oracle Corp., Caldera International Inc., Symantec Corp. and Silicon Graphics Inc.
The OIS has adopted a Code of Conduct to govern its members behavior. Interestingly, the code prohibits the publication of so-called proof-of-concept exploit code. Many security researchers, upon finding a new vulnerability, publish a small amount of code to show that the flaw theyve found is in fact real.
Administrators often use such code to test their systems to see if theyre susceptible to the problem. But crackers also use this information to build tools to attack vulnerable machines.
One OIS member said the group is being candid about its methods and plans in an effort to head off some of the misguided criticism it has received in the past.
"One of the criticisms we had was that this was just a way to keep information to ourselves. Were explicitly not doing that," said Scott Blake, vice president of information security at BindView in Houston, Texas. "Some of us feel very strongly about some of the pay-for-information things that are out there."
Some security organizations, such as the Internet Security Alliance, offer their members advance notice of vulnerabilities and access to private information. And at least one security vendor, iDefense Inc., has offered to pay security researchers for early access to vulnerability data and exploit code.
The organization has also prohibited its members from exchanging information on new vulnerabilities before they are made public.
The OIS has no physical headquarters at this point but can be reached at www.oisafety.org.
Related Stories: